Key Ownership in the Cloud: Using Zero Knowledge to Protect Your Data

Customers often wonder if their data is secure in the cloud.

To answer this question, we need to consider two aspects of key ownership:

  • Who owns your encryption keys?
  • Where is data being decrypted?

Knowing the answers to these two questions gives you a clearer picture of who can actually access your data and how you can protect it.

Here are several common scenarios you might encounter:

1. Cloud Key Management Service

The first scenario is using a cloud-native key service such as AWS Key Management Service or Azure Key Vault. This usually means your keys are created, managed, and stored by the cloud service provider (CSP). These providers are reputable, and their security practices are rarely the issue; the problem is ownership.

In this case, the cloud provider owns your encryption keys. Decryption happens in the cloud, which means the CSP has access to your raw, unencrypted data.

2. “Bring Your Own Key” Option

Cloud providers have, in recent years, provided a BYOK, or Bring Your Own Key, option. This option allows organizations to create, manage, and store their own keys. “That’s great!” you think. “I have ownership of my keys, so I’m fine, right?”

Unfortunately, when you bring your own key to a cloud service provider, the provider still has access to that key. Even with BYOK, the CSP effectively owns your keys, decryption still happens in the cloud, and the provider still has access to your unencrypted data.

3. Cloud HSM

In this scenario, you fully own your keys on a dedicated physical hardware security module. You are the only one with administrative access to the keys, but the hardware itself sits in a regional cloud data center.

In this case, you really do own your keys. The difficulty arises when you try to use them securely: delivering key material to your applications without exposing it is a challenge, and the architecture needed to do so is often complex, much like running an on-prem HSM.

The Problem With Not Having Key Ownership

When cloud service providers own your keys, it means, for one, that they have access to your data, which increases your attack surface. If the CSP is breached, your keys (and therefore your data) are exposed.

Breaches aside, there is still the issue of ownership. If compelled by law enforcement or national security agencies, cloud service providers are required by law to hand over customer data.

Under the CLOUD Act, CSPs are not required to notify customers when their data is subpoenaed. In other words, your encryption keys can be surrendered without your knowledge.

Your organization could become part of an investigation without ever being told. Your employees or customers could be engaged in illegal activity, and you would never be notified. Activities could be taking place inside your organization that significantly damage your business reputation, and you can’t solve a problem you don’t know about.

The Solution: Self-Hosted Solution vs. Zero-Knowledge SaaS

In assessing options for securing your data, you want to make sure it:

  • Gives you complete ownership of your keys, AND
  • Decrypts within your environment

Many enterprise companies opt for an encryption solution deployed within their own environment. This lets them both retain key ownership and decrypt data securely. However, hosting that infrastructure comes with its own challenges: such a solution can be expensive, difficult to maintain, and a headache for teams to work with, which leads to low adoption.

Until recently, a secure SaaS that could guarantee both of the requirements above, complete key ownership and encryption within the organization’s own environment, had not been widely available.

Today, however, there is a solution: Zero Knowledge SaaS. A truly Zero Knowledge SaaS solution is designed to let the customer retain key ownership, and thus full ownership of their data, without having to manage on-prem infrastructure.

Learn how Cimpress reduced secrets management costs by 70% with a Zero Knowledge SaaS solution.

Introducing Akeyless: True Key Ownership in the Cloud

The Akeyless platform is one of the first solutions of its kind to be widely available to customers.

  • You don’t need to host your own infrastructure. Akeyless is a SaaS, which means it hosts the infrastructure and tooling you need to securely store your keys.
  • You retain 100% ownership. With a patented technology called DFC™, Akeyless ensures you hold a key fragment that only you can access.
  • Encryption is on your terms. Using your own key fragment, both encryption and decryption happen on your infrastructure.

Sounds too good to be true?

It’s not. Our founders have spent years in the security industry and have seen firsthand the challenges enterprise companies face with key ownership. They intentionally built Akeyless, a secrets management platform, on patented DFC™ technology that ensures the security of your keys at the cryptographic level.

Curious about DFC™ and how we can help? Book a meeting with us today.
